Bug 150072

Summary: Device motion and orientation should only be visible from the main frame
Product: WebKit
Reporter: Dean Jackson <dino>
Component: New Bugs
Assignee: Dean Jackson <dino>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, dbates, dustin.kerstein, mkwst, _
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (flags: none)
Patch (flags: none)

Description Dean Jackson 2015-10-12 18:32:56 PDT
Device motion and orientation should only be visible from the main frame

Comment 1 Dean Jackson 2015-10-12 19:10:51 PDT
Created attachment 262966
Patch

Comment 2 Dean Jackson 2015-10-12 19:24:25 PDT
<rdar://problem/23082036>

Comment 3 Brent Fulgham 2015-10-13 13:00:06 PDT
Comment on attachment 262966
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=262966&action=review

r=me. I think the duplicated test code could be a method, or perhaps even just a local variable, but the patch is fine as-is.

> Source/WebCore/page/DOMWindow.cpp:1717
> +            || (m_frame->mainFrame().document() && document()->securityOrigin()->canAccess(m_frame->mainFrame().document()->securityOrigin())))) {
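
Review bot: On the quoted line at DOMWindow.cpp:1717, `document()` is dereferenced for `securityOrigin()` with no null check on this line, while `m_frame->mainFrame().document()` is tested first. If the part of the condition above this line (not visible in the quote) does not already guarantee that `m_frame` and `document()` are non-null, add those guards before the `canAccess()` call. A one-line comment stating the direction of the check (this frame's origin must be able to access the main frame's origin) would also make the intent easier to audit.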

It seems like this test (which is repeated three times in this patch) could work as a DOMWindow method (e.g., "bool DOMWindow::frameDoesHaveCompatibleSecurityOriginToMainFrame()")

Comment 4 Dean Jackson 2015-10-13 13:40:44 PDT
Created attachment 263018
Patch

Comment 5 Dean Jackson 2015-10-13 14:53:32 PDT
Committed r191008: <http://trac.webkit.org/changeset/191008>

Comment 6 Daniel Bates 2015-10-13 22:15:01 PDT
Comment on attachment 263018
Patch

Clearing review flag as this patch was already landed per comment 5.

Comment 7 Stephen Underwood 2016-01-06 00:23:44 PST
Hi Dean, Brent and Daniel,

I was actively using device motion and orientation from a child frame.

Is there a possibility of allowing an opt-in method for enabling access to device motion and orientation for the child frame?

As from my perspective I will always be serving my content requiring the device motion and orientation from a separate domain but always over HTTPS.

I noticed there is already an open ticket regarding such here https://bugs.webkit.org/show_bug.cgi?id=152299 

Just wanted to raise some awareness as this is quite critical to my business needs.

Kind Regards,
Stephen Underwood